IT Risk Supervision

Division I/6 is responsible for IT risk supervision of less significant institutions (LSIs), payment institutions and electronic money institutions at the Austrian Financial Market Authority (FMA). The objective of this supervision is to strengthen these institutions’ resilience against IT risks and cyber threats.

During its supervisory activities, the FMA assists supervised entities in implementing legal standards by communicating its supervisory expectations transparently and by making detailed information available on its website.

One particular priority at the FMA is the coordination of cross-sector DORA supervision. The implementation of the requirements set out in the Digital Operational Resilience Act (DORA) requires cross-sector cooperation within the FMA to ensure harmonised, efficient and risk-based supervision for all affected financial market participants.

Further information may be found on the FMA’s DORA microsite.

Advancing digital transformation is accompanied by numerous innovations and efficiency gains for the financial sector, although the challenges for IT security and digital operational resilience in relation to faults, outages or cyber attacks are also increasing.

Within the scope of its IT risk supervision, the FMA monitors how financial undertakings address such challenges and secure their systems against cyber attacks, technical failures and other operational risks.

The Digital Operational Resilience Act (DORA) is a key regulatory instrument for strengthening digital resilience, which has applied since 17 January 2025. For the first time, DORA has created a harmonised European legal framework for the management of ICT risks in the financial sector. Entities are obliged under DORA to have comprehensive safeguards in place in the areas of risk management, incident reporting, digital resilience testing and the management of third-party risk.

The FMA has a broad spectrum of supervisory tools for monitoring IT risks effectively. The objective is not only to enforce legal standards, but also to promote a constructive and forward-looking supervisory culture through exchanges with supervised entities.

Sectoral dialogues and expert events are a key element of this. Their purpose is to impart supervisory expectations and to enable a structured exchange of knowledge and experience with the market.

Compliance with legal standards is reviewed by combining various supervisory tools, in particular ICT governance spot checks, IT on-site inspections (IT OSIs), management talks, fit and proper tests, as well as surveys and self-assessments (digitalisation study/SREP questionnaires). Under the division of competences between the FMA and the OeNB, IT OSIs and management talks are conducted by the OeNB.